US-20250385792-A1

User Authentication for a Resource Using Context Based Encryption of Authentication Tokens

Published: December 18, 2025
Assignee: not available in USPTO data we have
Inventors: not available in USPTO data we have
Technical Abstract

Disclosed embodiments relate to systems and methods for enabling recurrent use of authentication tokens. Techniques include identifying a first request by a user to access a resource; receiving, from an identity provider service, a token for authentication of a user; encrypting the token based on a secret inputted by the user and first contextual data associated with at least one of: the user, the resource, or a source of the first request; identifying a second request to access the resource; receiving the secret input by the user; decrypting the encrypted token; and based on validating the decrypted token, determining whether the user is permitted to access the resource.

Patent Claims

Legal claims defining the scope of protection, as filed with the USPTO.

1. A non-transitory computer-readable medium including instructions that, when executed by at least one processor, cause the at least one processor to perform operations for enabling recurrent use of authentication tokens, wherein the authentication tokens in their original form are not exposed in a clear text format, the operations comprising:

2. The non-transitory computer-readable medium of, wherein the second request uses a native remote protocol, and the computing device is configured to cause a display of a user interface to the user.

3. The non-transitory computer-readable medium of, wherein the receiving the token for authentication of the user is based on authenticating the user by the identity provider service based on the authentication credential associated with the user in relation to the first request.

4. The non-transitory computer-readable medium of, wherein the first contextual data and the second contextual data comprise at least one of an IP address, username, local time zone, operating system version, or a host name.

5. The non-transitory computer-readable medium of, wherein the operations further include denying the user access to the resource.

6. The non-transitory computer-readable medium of, wherein denying the user access to the resource is based on a failure of the decrypting of the encrypted token, or a difference between the encrypted token and the decrypted token, the failure being based on a mismatch between the first contextual data and the second contextual data, or a mismatch between the secret inputted by the user for the first request and the secret inputted by the user for the second request.

7. The non-transitory computer-readable medium of, wherein the operations further comprise:

8. The non-transitory computer-readable medium of, wherein the resource is on-premises.

9. The non-transitory computer-readable medium of, wherein the secret comprises one of a personal identification number (PIN), password, or passphrase.

10. The non-transitory computer-readable medium of, wherein the operations further comprise:

11. The non-transitory computer-readable medium of, wherein the operations further comprise:

12. The non-transitory computer-readable medium of, wherein the token is configured to expire after a predetermined time period.

13. The non-transitory computer-readable medium of, wherein a time interval from the first time to the second time is less than the time period.

14. The non-transitory computer-readable medium of, wherein the operations further comprise:

15. The non-transitory computer-readable medium of, wherein the operations further comprise:

16. The non-transitory computer-readable medium of, wherein the resource is configured to not persistently store the secret, the first contextual data, and the second contextual data.

17. The non-transitory computer-readable medium of, wherein encrypting the token based on the secret inputted by the user and the first contextual data comprises:

18. The non-transitory computer-readable medium of, wherein the operations further comprise:

19. The non-transitory computer-readable medium of, wherein the operations further comprise:

20. A computer-implemented method for authentication using persistent tokens, wherein the authentication tokens in their original form are not exposed in a clear text format, the method comprising:

Detailed Description

Complete technical specification and implementation details from the patent document.

The present disclosure relates generally to authenticating a user prior to allowing a user access to a resource through the use of authentication tokens.

In modern computing environments, highly sensitive data is often transferred between network identities and various resources, such as web-based applications. Before allowing users or entities access to data or resources associated with web-based applications, it may be necessary to authenticate the user to avoid malicious actors gaining access to sensitive data.

However, some techniques require a user to go through multiple steps in order to proceed with an authentication process. For example, an authentication process may begin with a user attempting to access an application and initiating the authentication process. The user may then generate an authentication request and be redirected to an external identity provider. The external identity provider may require the user to enter credentials such as a user name and password, which the external identity provider may authenticate. If the authentication is successful, the external identity provider may generate a security token to indicate that the user is authenticated, and return the token to the application through a secure method. The application may then verify the authenticity of the token, and upon determining the token is valid, grant the user access to the application. This type of solution uses external identity providers to handle the authentication process. However, there are drawbacks to this approach. Redirecting users to an external service means additional steps for the user, which may impact the user experience and lead to workarounds that compromise security. In addition, users may be disrupted in the transition between the application and the external service, especially if authentication requires multiple redirections. These problems may persist and become frustrating if a user must access an application often. Further, this authentication method is only useful for web applications that use cookies. This solution does not work for non-web-based applications. Some solutions for non-web-based applications use authentication tokens, where the tokens are commonly stored in cleartext on the user machine, which poses a security risk.

Therefore, there is a need for solutions that allow a user to quickly and efficiently authenticate, while allowing a user to store authentication tokens securely on a computing device associated with the user. The user authentication token solutions described herein may be securely stored on a user machine using, for example, two dynamic elements—a personal security PIN that is only known to the user and a source IP address that is unique to a user's client machine. The PIN and the source IP address may not be stored anywhere else, thus increasing the security of the authentication process.

The disclosed embodiments describe non-transitory computer readable media, systems, and methods for performing operations for enabling recurrent use of authentication tokens. As described herein, the authentication tokens in their original form may not be exposed in a clear text format. For example, in some embodiments, a non-transitory computer readable medium may include instructions that, when executed by at least one processor, cause the at least one processor to perform operations for enabling recurrent use of authentication tokens. The operations may comprise identifying, by a computing device, and during a first time, a first request by a user to access a resource; receiving, from an identity provider service, a token for authentication of the user; encrypting the token based on a secret inputted by the user and first contextual data associated with at least one of: the user, the resource, or a source of the first request; identifying, by the computing device, and during a second time later than the first time, a second request by the user to access the resource; receiving the secret inputted by the user; decrypting the encrypted token based on the user input and second contextual data associated with the second request, the second contextual data being associated with at least one of: the user, the resource, or a source of the second request; and based on validating the decrypted token with the identity provider service, determining whether the user is permitted to access the resource.

According to a disclosed embodiment, the second request may use a native remote protocol, and the computing device may be configured to cause a display of a user interface to the user.

According to a disclosed embodiment, receiving the token for authentication of the user may be based on authenticating the user by the identity provider service based on an authentication credential associated with the user in relation to the first request.

According to a disclosed embodiment, the first contextual data and the second contextual data may comprise at least one of an IP address, username, local time zone, operating system version, or a host name.

According to a disclosed embodiment, the operations may further comprise denying the user access to the resource.

According to a disclosed embodiment, denying the user access to the resource may be further based on at least one of: a failure of the decrypting of the encrypted token, a difference between the encrypted token and the decrypted token, a failure based on a mismatch between the first contextual data and the second contextual data, or a mismatch between the secret inputted by the user for the first request and the secret inputted by the user for the second request.

According to a disclosed embodiment, the operations may further comprise requesting the user to load the secret after the second request is received and identifying the second contextual data.

According to a disclosed embodiment, the resource may be on-premises.

According to a disclosed embodiment, the secret may be one of a personal identification number (PIN), password, or passphrase.

According to a disclosed embodiment, the operations may further comprise, based on encrypting the token, enabling the downloading of the encrypted token to a storage location of the computing device.

According to a disclosed embodiment, the operations may further comprise, after encrypting the token, decommissioning the secret and the first contextual data, wherein the resource and the computing device do not persistently store the secret.

According to a disclosed embodiment, the token may be configured to expire after a predetermined time period.

According to a disclosed embodiment, the time interval from the first time to the second time may be less than the time period.

According to a disclosed embodiment, the operations may further comprise identifying, by the computing device and during a third time later than the second time, a third request by the user to access the resource and based on determining that the token has expired before the third time, sending, by the resource and to the identity provider service, a request to authenticate the user, and displaying, by the resource, an indication of the authentication to a user interface.

According to a disclosed embodiment, the operations may further comprise supplementing the token with information including at least one of: an identification of the resource, a username of the user, or a digital signature.

According to a disclosed embodiment, the resource may be configured to not persistently store the secret, the first contextual data, and the second contextual data.

According to a disclosed embodiment, encrypting the token based on the secret inputted by the user and the first contextual data may comprise encrypting the token using the secret to produce an intermediate output, and encrypting the intermediate output using the first contextual data to produce the encrypted token.

According to a disclosed embodiment, the operations may further comprise associating the encrypted token with a mobile application, and requesting, via the mobile application, biometric authentication of the user when the encrypted token is used for authenticating the user.

According to a disclosed embodiment, the operations may further comprise adding the encrypted token to at least one of a file associated with the resource or a storage location associated with the resource; and activating the file or retrieving the encrypted token from the storage location to request access to the resource for the user.

Aspects of the disclosed embodiments may include tangible computer-readable media that store software instructions that, when executed by one or more processors, are configured for and capable of performing and executing one or more of the methods, operations, and the like consistent with the disclosed embodiments. Also, aspects of the disclosed embodiments may be performed by one or more processors that are configured as special-purpose processor(s) based on software instructions that are programmed with logic and instructions that perform, when executed, one or more operations consistent with the disclosed embodiments.

It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only, and are not restrictive of the disclosed embodiments, as claimed.

In the following detailed description, numerous specific details are set forth in order to provide a thorough understanding of the disclosed example embodiments. However, it will be understood by those skilled in the art that the principles of the example embodiments may be practiced without every specific detail. Well-known methods, procedures, and components have not been described in detail so as not to obscure the principles of the example embodiments. Unless explicitly stated, the example methods and processes described herein are not constrained to a particular order or sequence, or constrained to a particular system configuration. Additionally, some of the described embodiments or elements thereof can occur or be performed simultaneously, at the same point in time, or concurrently.

The techniques for authentication described herein overcome several technological problems relating to security, efficiency, and functionality in the fields of cybersecurity and secure access to data, code, or applications.

Reference will now be made in detail to the disclosed embodiments, examples of which are illustrated in the accompanying drawings.

illustrates an example system environment for authentication of a resource. The various components of the system may communicate over a network. Such communications may take place across various types of networks, such as the Internet, a wired Wide Area Network (WAN), a wired Local Area Network (LAN), a wireless WAN (e.g., WiMAX), a wireless LAN (e.g., IEEE 802.11, etc.), a mesh network, a mobile/cellular network, an enterprise or private data network, a storage area network, a virtual private network using a public network, a near-field communications technique (e.g., Bluetooth, infrared, etc.), or various other types of network communications. In some embodiments, the communications may take place across two or more of these forms of networks and protocols. While the system environment is shown as a network-based environment, it is understood that in some embodiments, one or more aspects of the disclosed systems and methods may also be used in a localized system, with one or more of the components communicating directly with each other.

The system may also include computing components. The computing components may include or be part of a computing device and may include a user interface, computer data storage, a browser engine, a rendering engine, a secure web browser, a data persistence layer, and any other components necessary to run a web browser. In some embodiments, computer data storage may comprise computer components and recording media that are used to retain digital data. Data may be stored in memory, on servers, or in cloud computing environments. Computer data storage may be managed using a central processing unit of a computer. The browser engine may receive input from the user interface and process it to command a rendering engine. This browser engine may be used to provide an interactive user experience. For example, when a user clicks or selects an element on the user interface, the browser engine may ensure that the browser redirects to the clickable element. In some embodiments, the browser engine is an intermediary between the user interface and a rendering engine. The rendering engine may be a component responsible for rendering web content, such as HTML, CSS, or JavaScript, etc., into a visual display on a user interface.

A secure web browser may include a dedicated web browser application, or a plug-in (also referred to as an “extension”) to a non-dedicated web browser, having a built-in module performing the disclosed techniques (in some embodiments, in combination with an additional application or process (“agent”) installed or operating in association with the network identity's machine). A data persistence layer may be part of the data storage. The data persistence layer may help a browser to store data locally, such as cookies, local cache, or the like.

The system may also include a user interface with which a user may interact. In some embodiments, the user interface enables a user to input data to the computing components. In some embodiments, information inputted to the user interface can be in various formats. For example, the user interface can include a keyboard, mouse, and a display such that the user can type information via the keyboard in a designated area on the display or draw information using the mouse. Activities of the user may include taking notes or entering information on the user interface in real time. The user interface may also allow the user to create a first request to access a resource. The first request may be, for example, a Hypertext Transfer Protocol (HTTP) request formatted in the HTTP protocol to initiate an action. In some embodiments, the first request may be a request for data. In some embodiments, the first request may be a request to access a resource.

The system may also include a resource. A resource may refer to anything that can be used to perform a computing task. The resource may be any hardware or software accessible by a computer via a network, or any other object connected to a computer, such as the computing components. The resource may also refer to data storage, such as a database. The resource may also refer to computer servers, storage servers, or management servers. A computer server may be a device or computer that manages network resources and provides services to other computers over a network. A storage server may be a device or software application that stores, manages, and secures data and applications across a network or through the Internet. A management server may refer to a central component of a system that may be used to handle hardware and software configurations, monitor a system, provide security updates to a system, provide backups to a system, manage users and access control, and perform server-side security measures. A management server may also be used to manage container orchestration, such as managing the deployment, scaling, integration, and lifecycles of containerized applications or software. In some embodiments, the resource may be a shared resource. A shared resource may be, for example, a printer or a network server that allows multiple users on multiple computers to access the same resource.

The system may also include a token. In some embodiments, the token may include an object that represents the right to perform an operation, including but not limited to security, access, and control. In some embodiments, the right to perform an operation may also identify an identity that is able to perform the operation. For example, an identity may be referenced according to a security policy or access-control policy to determine whether the identity can perform an operation. According to some embodiments, the token may include an exclusive or particular object that represents the right to perform an operation, including but not limited to security, access, and control. In some situations, the rights to perform operations may be based on an Active Directory™ framework, CyberArk Privileged Access Management™ framework, AWS Identity and Access Management™, or various other alternatives. The token may be random or contain pseudo-random characters, biometric-based characters, or other unique data. The token may also refer to authentication data, such as a password, cryptographic key, certificate, etc. For example, a cryptographic random generator may include a process for creating cryptographically strong random values. This may be performed using, for example, a cryptographically secure pseudorandom number generator (CSPRNG) or cryptographic pseudorandom number generator (CPRNG). The values produced by the cryptographic random generator should exhibit properties including, but not limited to, appearing random, being unpredictable in advance, and not being reliably reproducible after generation.

The system may also include an identity service provider. The identity service provider may be a server, personal computer, virtual instance, container instance, or other computing device or service. The identity service provider may store and manage users' digital identities associated with one or more components of the system. In some cases, the identity service provider may be a third-party identity management service (e.g., CyberArk Identity™, Microsoft's Active Directory Federation Services™, AWS IAM™, Azure AD™, Okta™, or others). Such services may manage credentials for access to data or resources, such as the resource. The identity service provider may verify and authenticate users based on, for example, an authentication token, username-password combination, or any other method of verifying and authenticating a user's identity. The identity service provider may authenticate a user and provide an indication of the authentication to the resource, which may allow the user to access the resource. The token may be used to grant access to the user. Authentication may occur, for example, through the use of a privileged credential (e.g., password, SSH key, symmetric (e.g., public/private) key, or other type of cryptographic data or privileged access token). In some embodiments, the identity service provider may identify different levels of identities that may be recognized by the resource. Each level may be associated with certain privileges. For example, there may be three levels of identities recognized by the resource, each with its own unique set of privileges. When the identity service provider authenticates a user, it may indicate to the resource what type or level of identity the user is. The identity service provider may be used to manage digital identities of users to determine whether or not someone has access to sensitive data or resources, such as the resource. In some embodiments, records of user identities also must be securely stored to ensure that hackers and malicious actors cannot use these identities to impersonate a user.

The system may also include an encrypting module. In some embodiments, the encrypting module may perform encryption of the token. For example, the token may be encrypted in its entirety. In some embodiments, only sensitive data associated with the token may be encrypted. The encryption may be done symmetrically (e.g., using techniques such as AES, Blowfish, CAST5, RC4, DES, 3DES, etc.) or asymmetrically (e.g., using techniques such as Diffie-Hellman, DSS, RSA, YAK, etc.). In some embodiments, the encrypting module may comprise the use of an encryption key. An encryption key may include a piece of information, usually a string of numbers or letters that may, for example, be stored in a file, which, when processed through a cryptographic algorithm, can encode or decode cryptographic data. In some embodiments, the encryption key is randomly generated by a cryptographically secure pseudorandom number generator (CSPRNG) or cryptographic pseudorandom number generator (CPRNG). In some embodiments, the encryption key may be a function of contextual metadata associated with a user or a request. In some embodiments, if the encryption key is generated as a function of contextual metadata associated with the user or the request, the encryption key may not be generated using a random number generator. In some embodiments, the encryption key may be a function of contextual metadata associated with the user or the request and a secret inputted by the user, consistent with disclosed embodiments.

The system may also include a second request. The user interface may allow the user to create a second request to access the resource. In some embodiments, the second request occurs at a time later than the first request. In some embodiments, after the user makes the second request, the token may be decrypted. In some embodiments, the system may determine that the user has access to the resource, shown as permitted access. The user being permitted access may or may not receive a notification or prompt of the access. For example, permitted access may include a success or confirmation prompt in a graphical user interface or the like. Alternatively, the user being permitted access may simply be able to access an access-restricted network resource (e.g., application, database, server, data, etc.). In some embodiments, the determination that the user has access to the resource may be associated with either the first request or with the second request. In other embodiments, the determination that the user has access to the resource may be associated with both the first request and with the second request.
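The two-stage scheme described above (encrypt under the user's secret to an intermediate output, then under the contextual data; decrypt on the second request and deny on any mismatch) as an added, runnable illustration. This is not code from the patent or its applicant: the sealing primitive is an HMAC-SHA256 keystream with an encrypt-then-MAC tag standing in for the AES-style cipher the text lists, so it runs on the Python standard library alone; the PIN key derivation (PBKDF2), the context canonicalisation (SHA-256 over sorted JSON), all function names, and the sample token and context values are assumptions constructed for this example.

```python
import hashlib
import hmac
import json
import secrets

NONCE_LEN = 16
SALT_LEN = 16
TAG_LEN = 32
PBKDF2_ROUNDS = 100_000


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: concatenated HMAC-SHA256(key, nonce || counter) blocks."""
    blocks = []
    counter = 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC(key, nonce || ciphertext)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Check the tag in constant time before decrypting; raise on any mismatch."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("sealed blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication tag mismatch")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def pin_key(pin: str, salt: bytes) -> bytes:
    """Slow KDF (assumed): the PIN is low-entropy, so iterate to raise the cost of guessing."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, PBKDF2_ROUNDS)


def context_key(context: dict) -> bytes:
    """Second-stage key from canonicalised contextual data (claim 4 lists IP address,
    username, time zone, OS version, host name). Context is guessable, so this layer
    binds the blob to the source machine; the PIN layer carries the secrecy."""
    canonical = json.dumps(context, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(b"token-context-v1|" + canonical).digest()


def encrypt_token(token: bytes, pin: str, context: dict) -> bytes:
    """Stage 1 seals the token under the PIN; stage 2 seals that intermediate output
    under the context. Only salt + sealed bytes are returned for client-side storage;
    neither the PIN nor the context is persisted."""
    salt = secrets.token_bytes(SALT_LEN)
    intermediate = seal(pin_key(pin, salt), token)
    return salt + seal(context_key(context), intermediate)


def decrypt_token(blob: bytes, pin: str, context: dict) -> bytes:
    """Reverse order: a context mismatch fails at the outer layer, a wrong PIN at the inner."""
    salt, outer = blob[:SALT_LEN], blob[SALT_LEN:]
    intermediate = unseal(context_key(context), outer)
    return unseal(pin_key(pin, salt), intermediate)


def access_decision(blob: bytes, pin: str, context: dict, validate) -> bool:
    """Deny on any decryption failure; otherwise defer to the identity provider's check."""
    try:
        token = decrypt_token(blob, pin, context)
    except ValueError:
        return False
    return bool(validate(token))


def demo() -> tuple:
    """Constructed sample: first request from alice's workstation, then three second requests."""
    token = b"opaque-idp-token-CONSTRUCTED-SAMPLE"
    first_ctx = {"ip": "10.1.2.3", "username": "alice", "host": "ws-alice-01"}
    blob = encrypt_token(token, "4821", first_ctx)

    def idp_validate(candidate: bytes) -> bool:   # stand-in for the identity provider
        return candidate == token

    same_context = access_decision(blob, "4821", first_ctx, idp_validate)
    wrong_pin = access_decision(blob, "0000", first_ctx, idp_validate)
    moved_host = access_decision(blob, "4821", {**first_ctx, "ip": "192.0.2.9"}, idp_validate)
    return same_context, wrong_pin, moved_host


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```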

is an example authentication system environment, consistent with disclosed embodiments. As illustrated, the authentication system may comprise a user, a client, a login, a gateway, an authentication service, policy management, identity management, an identity management connector, an environment, an authentication method, an on-premises server, and a network.

In some embodiments, the user may interact with the client through an interface, as described above. In some embodiments, the client may be hardware or software that is in communication with the system over a network. In some embodiments, the client may be a computer or a network of computers or computer software programs. In some embodiments, the client may send a request, as described above, based on user input.

In some embodiments, a request sent from the client may be sent to a gateway. In some embodiments, the request may be a request to log in. It is to be understood that this is merely exemplary. In some embodiments, the login may require the user to log in with a credential to gain access to a computer system or program, such as the client, by identifying and authenticating themselves to allow access to the resource. In some embodiments, identity management may comprise the gateway, the authentication service, and policy management. In some embodiments, identity management may refer to a method of verifying the identities of entities and users on a network and determining the level of access to network resources that each entity and user has. In some embodiments, identity management may be used to secure systems and networks and keep data secure. In some embodiments, identity management ensures that only authenticated users are granted access to specific applications and components of a system. In some embodiments, identity management may work in conjunction with an identity service provider, as described above, to track identity information across a network. In some embodiments, identity management may provide a first line of defense against cyber threats by allowing users to only access the resources they need. In some embodiments, identity management may manage attributes related to a user or other entities that may require access to resources. Identity management may protect identities through digital technologies as described with respect to this application. In some embodiments, identity management may not include, but may operate in conjunction with, the gateway, the authentication service, and policy management.

In some embodiments, the gateway may refer to a computing device on a network that provides an interface between two applications or networks. In other embodiments, the gateway may serve as a proxy between two applications, including as a proxy to a resource, as described above. In some embodiments, the gateway may provide an interface between the client and identity management over the authentication system. In some embodiments, the user may also communicate with the gateway, through, for example, the interface.

In some embodiments, the authentication service may be used to secure authentication of the identity of users and entities on the network. In some embodiments, the authentication service may be an identity verification mechanism. In some embodiments, the identity verification mechanism may confirm or deny that an identity is correct by comparing credentials associated with the identity with previously confirmed credentials. In some embodiments, the authentication service may use a token, as described above, to perform an authentication.

In some embodiments, identity management may operate using policy management. Policy management may refer to software that is used to assist policy owners with policies to identify, authenticate, and authorize users to have proper access to resources based on their identities.

In some embodiments, the identity management connector may be the connection between the user and the environment. The environment may comprise the network, the authentication method, and the on-premises server. The environment may refer to a group of servers that are privately owned and controlled by the owner of a system, such as the authentication system. The environment may be on-premises, in the cloud, or a hybrid environment. On-premises environments may allow users to have full control of the environment infrastructure and maintain it based on their needs. A cloud environment may be stored and managed on a cloud provider server (e.g., AWS™, IBM Cloud™, Azure™, etc.). Users may access a cloud environment through a web browser or interface. A hybrid on-premises and cloud environment may combine elements of both on-premises and cloud environments. In a hybrid setup, some applications or elements of the environment may be hosted in the cloud, while other applications or elements of the environment may be kept on-premises. The authentication method may refer to the method of authentication used to access the resource. In some embodiments, the authentication method may refer to the use of a token, such as the token described above, or any other required methods to access the resource. The server may refer to a server that is part of the environment and may be any server as described above.

is a block diagram showing an example server, consistent with the disclosed embodiments. The server may be a computing device (e.g., a server, virtual machine, container instance, personal computer, mobile device, IoT device, etc.), and may include one or more associated processors and/or memories. Consistent with disclosed embodiments, the identity management, authentication service, policy management, environment, identity management connector, authentication method, and server may be implemented in accordance with the elements of.

Processor may take the form of, but is not limited to, a microprocessor, embedded processor, or the like, or may be integrated in a system on a chip (SoC). Furthermore, according to some embodiments, processor may be from the family of processors manufactured by Intel®, AMD®, Qualcomm®, Apple®, NVIDIA®, or the like. The processor may also be based on the ARM architecture, a mobile processor, or a graphics processing unit, etc. The disclosed embodiments are not limited to any type of processor configured in server.

Memory may include one or more storage devices configured to store instructions used by processor to perform functions related to server. The disclosed embodiments are not limited to particular software programs or devices configured to perform dedicated tasks. For example, memory may store a single program, such as a user-level application, that performs the functions associated with the disclosed embodiments, or may comprise multiple software programs. Additionally, processor may, in some embodiments, execute one or more programs (or portions thereof) remotely located from server. Furthermore, memory may include one or more storage devices configured to store data for use by the programs. Memory may include, but is not limited to, a hard drive, a solid-state drive, a CD-ROM drive, a peripheral storage device (e.g., an external hard drive, a USB drive, etc.), a network drive, a cloud storage device, or any other storage device.

In some embodiments, memory may include a database. Database may be included on a volatile or non-volatile, magnetic, semiconductor, tape, optical, removable, non-removable, or other type of storage device or tangible or non-transitory computer-readable medium (e.g., memory). Database may also be part of server or separate from server. When database is not part of server, server may exchange data with database via a communication link. Database may include one or more memory devices that store data and instructions used to perform one or more features of the disclosed embodiments. Database may include any suitable databases, ranging from small databases hosted on a workstation to large databases distributed among data centers. Database may also include any combination of one or more databases controlled by memory controller devices (e.g., server(s), etc.) or software. For example, database may include document management systems, Microsoft SQL™ databases, SharePoint™ databases, Oracle™ databases, Sybase™ databases, other relational databases, or non-relational databases, such as MongoDB and others.

is a schematic diagram of an exemplary distributed system for implementing embodiments of the present disclosure. According to, server (e.g., similar to server) of distributed computing system includes a bus or other communication mechanisms for communicating information, one or more processors communicatively coupled with bus for processing information, and one or more main processors communicatively coupled with bus for processing information. Processors can be, for example, one or more microprocessors. In some embodiments, one or more processors includes processor and processor, and processor and processor are connected via an inter-chip interconnect of an interconnect topology. In some embodiments, processor can be a dedicated hardware accelerator (such as a neural network processing unit) for processor. Main processors can be, for example, central processing units (“CPUs”).

Server may transmit data to or communicate with another server through a network. Network may be a local network, an internet service provider, Internet, or any combination thereof. Communication interface of server is connected to network, which may enable communication with server (e.g., also similar to server). In addition, server can be coupled via bus to peripheral devices, which may include displays (e.g., cathode ray tube (CRT), liquid crystal display (LCD), touch screen, etc.) and input devices (e.g., keyboard, mouse, soft keypad, etc.).

Patent Metadata

Filing Date

Unknown

Publication Date

December 18, 2025

Inventors

Unknown


Citation & reuse


Cite as: Patentable. “USER AUTHENTICATION FOR A RESOURCE USING CONTEXT BASED ENCRYPTION OF AUTHENTICATION TOKENS” (US-20250385792-A1). https://patentable.app/patents/US-20250385792-A1
